Vercara’s Open-Source Intelligence (OSINT) Report – February 2 – February 8, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Russian APT28 hackers targeting high-value orgs with NTLM relay attacks.

(TLP: CLEAR) APT28 is a Russian state-sponsored hacking group that has been active since at least 2009 and is known for using spear-phishing campaigns and social engineering to gain access to its targets’ networks. In recent years, APT28 has been using NTLM relay attacks against high-value organizations. NTLM relay attacks are a type of brute force attack that can be used to gain access to a user’s account without knowing their password: the user’s NTLM hash is sent to a malicious server, which then attempts to use that hash to log into the user’s account. If the hash is valid, the attacker gains access to the account.

(TLP: CLEAR) Comments: APT28 has been using NTLM relay attacks to target organizations in the foreign affairs, energy, defense, and transportation sectors. They have also targeted organizations involved in labor, social welfare, finance, parenthood, and local city councils.

To carry out these attacks, APT28 has been using a variety of methods, including compromised EdgeOS routers, VPN services, Tor, and data center IP addresses. They have also been sending spear-phishing messages from compromised email accounts over Tor or VPN.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities (including NTLM vulnerabilities) are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting.

UltraWAF can also prevent some layer 7 DDoS attacks.

Sources: https://thehackernews.com/2024/02/russian-apt28-hackers-targeting-high.html

No, 3 million electric toothbrushes were not used in a DDoS attack.

(TLP: CLEAR) The article concerns a DDoS attack that was allegedly conducted using 3 million electric toothbrushes. However, there is no evidence that this attack ever happened. Fortinet, which was cited as the source of the claim, has not published any information about such an attack and has not responded to requests for comment. It is likely that this was a hypothetical scenario shared by Fortinet with the newspaper that was misunderstood or taken out of context.

(TLP: CLEAR) Comments: Electric toothbrushes do not connect directly to the internet but instead use Bluetooth to connect to mobile apps that then upload your data to web-based platforms. This means that a massive hack like this could only have been achieved through a supply chain attack that pushed down malicious firmware to the devices. However, there is no record of this happening.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Sources: https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/

Chinese hackers exploited FortiGate flaw to breach Dutch Military Network

(TLP: CLEAR) Chinese state-backed hackers exploited a critical security flaw in Fortinet FortiGate devices to breach a computer network used by the Dutch armed forces. The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

(TLP: CLEAR) Comments: Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances. The COATHANGER malware is stealthy and persistent, hiding itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://thehackernews.com/2024/02/chinese-hackers-exploited-fortigate.html

https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/

Fulton County suffers power outages as cyberattack continues.

(TLP: CLEAR) Fulton County in Georgia is suffering a cyberattack and a power outage. Government systems are offline, and it’s unknown when they’ll become operational again. Court filings, tax processing, and other services — including phone and Internet service, as well as the court system website — are reportedly also not functioning as usual.

(TLP: CLEAR) Comments: District Attorney Fani Willis, who indicted President Trump and 18 others in 2020, has been particularly affected by this cyberattack, though no connection has been identified. “At this time, we are not aware of any transfer of sensitive information about citizens or employees, but we will continue to look carefully at this issue,” said county official Robb Pitts. Pitts also noted earlier this week that the investigation was in its preliminary stages, but that the breach has caused a significant disturbance in the county, which includes parts of Atlanta. Sources say that the county systems may not be functioning again until next week.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Sources: https://www.darkreading.com/cyberattacks-data-breaches/fulton-county-suffers-power-outages-cyberattack

Hackers exploit job boards, stealing millions of resumes and personal data

(TLP: CLEAR) ResumeLooters, a hacking group that has been active since early 2023, has been targeting job search platforms in the Asia-Pacific (APAC) region and stealing resumes from them. The group compromised as many as 65 websites between November 2023 and December 2023, stealing sensitive data from over two million users.

(TLP: CLEAR) Comments: ResumeLooters uses a variety of techniques to steal data from job search websites, including SQL injection attacks and cross-site scripting (XSS) infections. The stolen data is then sold on Telegram channels. Here are some tips for protecting your data from ResumeLooters:

  • Use strong passwords and unique usernames for all your online accounts
  • Enable two-factor authentication whenever possible
  • Keep your software up to date with the latest security updates
  • Be suspicious of any emails or websites that ask for your personal information
  • If you believe that your data has been compromised, contact the authorities

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

Sources: https://thehackernews.com/2024/02/hackers-exploit-job-boards-in-apac.html

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.